Approaching Cloud Security From the Inside-Out
Security in the cloud inverts the traditional approach: instead of only defending the perimeter from the outside-in, assess your own environment from the inside-out, walking through each stage of an attack as it would unfold against your infrastructure and asking what you would see at each one.
During reconnaissance, an attacker gathers publicly available information from the Internet, either to find any target with an exploitable vulnerability or to map the vulnerabilities in a specific organization's cloud infrastructure.
To catch attackers during reconnaissance, implement continuous security monitoring that alerts on scanning activity and on abnormal login attempts or failures, such as a burst of failed logins against one host from a single source address.
Once you have performed that reconnaissance against your own environment and know what an attacker can see, consider the types of exploits and malicious payloads that could be used against it.
An attacker can deliver an exploit or malicious payload in several ways, so detection cannot rely on recognizing any one delivery channel; continuous security monitoring of what actually happens on your hosts is what surfaces the attempt. Knowing about a vulnerability in your own environment before a detection signature exists for it is a huge advantage: signature-based tools will miss the attack, but you can patch the affected service, or watch it closely, in the meantime.
During exploitation, the attacker establishes a foothold by exploiting a vulnerability in a service running on the server, or by using compromised credentials. From there, a local privilege escalation exploit can extend that access to higher privileges on the host.
During installation, the attacker typically installs a program (a kernel module or rootkit, for example) or a file that maintains connection and control without detection, so that internal assets can be operated remotely.
An outbound connection from a compromised server to an unusual IP address or host can indicate that an attacker has gained a foothold and is using it to install a program that maintains connection and control.
The attacker may then use that command-and-control channel to stop certain services or processes, such as antivirus or other defensive tools, to hide their activity. A defensive service stopping unexpectedly is suspicious behaviour that indicates an attack underway.
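The three behaviours the article says to monitor for (a burst of failed logins during reconnaissance, an outbound connection to an unknown destination during installation, and a defensive service being stopped over command and control) can each be expressed as a simple detection over host telemetry. The block below is an added example written for this page, not code from the original article; the event layout, field names, thresholds, the per-host outbound baseline and the list of defensive services are all assumptions, and the events are constructed sample data rather than real logs.

```python
# Added example (not the article's own code): three behavioural detections
# run over constructed sample events. Event layout, field names, thresholds,
# the outbound baseline and the defensive-service list are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, kind, fields). Not real logs.
EVENTS = [
    # Reconnaissance: six failed SSH logins from one source in ten seconds.
    ("2024-05-01T10:00:01", "auth", {"host": "web-1", "result": "fail", "src": "203.0.113.7", "user": "root"}),
    ("2024-05-01T10:00:03", "auth", {"host": "web-1", "result": "fail", "src": "203.0.113.7", "user": "admin"}),
    ("2024-05-01T10:00:05", "auth", {"host": "web-1", "result": "fail", "src": "203.0.113.7", "user": "ubuntu"}),
    ("2024-05-01T10:00:07", "auth", {"host": "web-1", "result": "fail", "src": "203.0.113.7", "user": "deploy"}),
    ("2024-05-01T10:00:09", "auth", {"host": "web-1", "result": "fail", "src": "203.0.113.7", "user": "root"}),
    ("2024-05-01T10:00:11", "auth", {"host": "web-1", "result": "fail", "src": "203.0.113.7", "user": "root"}),
    # A single typo from a legitimate user: must not alert.
    ("2024-05-01T10:02:00", "auth", {"host": "web-1", "result": "fail", "src": "192.0.2.9", "user": "alice"}),
    ("2024-05-01T10:02:05", "auth", {"host": "web-1", "result": "ok", "src": "192.0.2.9", "user": "alice"}),
    # Installation / C2: an expected connection, then one to an unknown host.
    ("2024-05-01T10:30:00", "net", {"host": "web-1", "dst": "198.51.100.20", "port": 443}),
    ("2024-05-01T10:31:00", "net", {"host": "web-1", "dst": "203.0.113.200", "port": 4444}),
    # C2 activity: a defensive agent is stopped; an ordinary service stop is not an alert.
    ("2024-05-01T10:32:00", "proc", {"host": "web-1", "action": "stop", "service": "falco"}),
    ("2024-05-01T10:33:00", "proc", {"host": "web-1", "action": "stop", "service": "nginx"}),
]

# Assumed baseline of destinations each host normally talks to.
OUTBOUND_BASELINE = {"web-1": {"10.0.0.5", "198.51.100.20"}}
# Assumed set of defensive services whose termination is always suspicious.
DEFENSIVE_SERVICES = frozenset({"falco", "auditd", "clamav-daemon", "osqueryd"})


def detect_login_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Sources with at least `threshold` failed logins inside any sliding window.
    Returns {src: peak_failures_in_window}."""
    failures = defaultdict(list)
    for ts, kind, f in events:
        if kind == "auth" and f["result"] == "fail":
            failures[f["src"]].append(datetime.fromisoformat(ts))
    hits = {}
    for src, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[src] = peak
    return hits


def detect_unusual_outbound(events, baseline=OUTBOUND_BASELINE):
    """Outbound connections to destinations absent from the host's baseline."""
    return [(f["host"], f["dst"], f["port"])
            for _, kind, f in events
            if kind == "net" and f["dst"] not in baseline.get(f["host"], set())]


def detect_defense_tampering(events, protected=DEFENSIVE_SERVICES):
    """Stop/kill actions taken against known defensive services."""
    return [(f["host"], f["service"])
            for _, kind, f in events
            if kind == "proc" and f["action"] in ("stop", "kill") and f["service"] in protected]


def run_detections(events=EVENTS):
    """Run all three detections and return their findings keyed by name."""
    return {
        "login_bursts": detect_login_bursts(events),
        "unusual_outbound": detect_unusual_outbound(events),
        "defense_tampering": detect_defense_tampering(events),
    }


if __name__ == "__main__":
    for name, findings in run_detections().items():
        print(f"{name}: {findings}")
```

The outbound check is only as good as the baseline it is given: in practice that baseline is learned from a known-clean period per host or per workload role, and anything not in it is reviewed rather than blocked outright. The sliding window in the login check is what separates a real burst from a handful of failures spread over a day.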
During the final step, the attacker carries out the main objective: compromising the network or accessing valuable assets such as customer data, intellectual property or health-care data. To protect data in this final step, implement File Integrity Monitoring (FIM) to watch which sensitive files change, and who accesses them and when.
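The core of File Integrity Monitoring is a baseline of cryptographic digests and permission bits for the files you care about, compared against a fresh scan. The block below is an added example written for this page, not code from the original article; the directory layout and the simulated tampering in `demo()` are constructed for the illustration.

```python
# Added example (not the article's own code): a minimal file integrity
# monitor. It records a SHA-256 digest, size and permission bits for every
# regular file under a directory, then reports files that were added,
# removed or changed against that baseline. The scratch tree and the
# tampering simulated in demo() are constructed for illustration.
import hashlib
import os
import stat
import tempfile


def file_fingerprint(path):
    """Digest plus the metadata an attacker most often alters (mode, size)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root):
    """Map of path (relative to root) -> fingerprint for every regular file."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full):
                baseline[os.path.relpath(full, root)] = file_fingerprint(full)
    return baseline


def compare(baseline, current):
    """Report which files appeared, disappeared, or changed content or mode."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def _write(path, text, mode):
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)


def demo():
    """Baseline a scratch tree, simulate an intruder's changes, and diff."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        _write(os.path.join(etc, "passwd"), "root:x:0:0::/root:/bin/sh\n", 0o644)
        _write(os.path.join(etc, "shadow"), "root:*:19000::::::\n", 0o600)
        _write(os.path.join(etc, "sshd_config"), "PermitRootLogin no\n", 0o644)
        baseline = build_baseline(root)

        # Simulated tampering (constructed): a second UID-0 account is appended,
        # shadow is made world-readable, a persistence file is dropped, and a
        # hardening config is removed.
        with open(os.path.join(etc, "passwd"), "a") as fh:
            fh.write("eve:x:0:0::/root:/bin/sh\n")
        os.chmod(os.path.join(etc, "shadow"), 0o644)
        _write(os.path.join(etc, "cron.d_persist"), "* * * * * root /tmp/.x\n", 0o644)
        os.remove(os.path.join(etc, "sshd_config"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

A digest comparison tells you that a file changed, not who touched it or when, and it says nothing about reads. For the "who and when" part of the article's advice, pair it with the kernel audit subsystem, for example an auditd watch rule such as `auditctl -w /etc/passwd -p wa -k identity`, which logs the process and user behind each write. Store the baseline somewhere the monitored host cannot rewrite it, since an attacker with root can otherwise re-baseline after tampering.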